Re: nslcd feature request (combined pam_authz_search)

On Mon, 2012-04-23 at 21:53 +0400, Lior Goikhburg wrote:
> Here is a situation: I need to perform two different searches before
> authenticating a user:
> * a user object should have an attribute "host" set to the $hostname of
> the machine
> * a host object of $hostname should have an attribute "mode" set to
> "active"
> It would be possible if I could specify more than one pam_authz_search
> parameter in nslcd.conf file.
> A possible config block could look like this:
> pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))
> pam_authz_search (&(objectClass=server)(mode=active))
> satisfy any
> Any thoughts ?

It sounds interesting but I personally don't like the satisfy any syntax
much (Apache ACLs are a bit too complex for my taste).

Anyway, you can already accomplish the above, if it is OK if either of
the searches returns any results, with the following:


Also note that you can use objectClass=$hostname instead of

-- arthur - - --